How To'sWindows

Fix: The Group Policy Client Service Failed the Logon

Group policy is an account management utility in Windows that lets you predefine the terms of use and interaction of user accounts in a certain group. The group can be standard/limited group, administrators group, guest groups, and any other group you have created. These groups will then be guided by the policy you created. The group policy is therefore invoked during login in depending on which group the user belongs.

Several users have reported a login issue. The system becomes slow on some applications and some do not work. After a restart on their PC, they can no longer log in to the system. On entering a password, the system takes way too long to login and after a while it gives back an error stating ‘Group Policy Client service failed the logon: Access denied.’ For some, they can still be able to log in as an administrator, while others only have one account on their PC; which means they are completely locked out of their system.

This article will explain to you how logging in works and why this problem occurs. We will then give you solutions to this problem.

How logging in works and why a login error occurs

Winlogon communicates with the Group Policy service (GPSVC) through a call upon system startup for computer policy and with user logon for user policy. The Group policy service then isolates itself into a separate SVCHOST process (it is originally running in a shared process with other services). Because communications have already been established before the service isolation, Winlogon can no longer contact the Group Policy service, and this results in the error message that is described in the Symptoms section.

Therefore this error is caused by a group policy that fails to respond or if it stops running. This could be due to bad registry calls or a corrupt registry. Usually, this is caused by system updates and upgrades that might mess with the registry. A bad shutdown or startup process can also cause this issue.

This can also happen when you try to logon using a non admin account in a PC that had some applications or drivers that were installed with admin privileges before. These applications will not support non-elevated environments. The conflict will therefore cause the error. The most application category that causes this issue to so many people is third party web browsers like Google chrome; which doesn’t need admin privileges to run.

Here are solutions on how you can remedy this situation in Windows 10; the methods also work in Windows 8.1. If you are locked out of your computer completely (you had only one account), then you should try method 3.

Method 1: Edit registry using an administrator account

If you are able to login into your computer as in most cases, you can try fixing the registry using the method below. Your registry keys might be missing after a system upgrade (e.g. Windows 7 to Windows 10).

  1. Press Windows Key + R to open run
  2. Type regedit in Run dialog box and hit enter to open the Registry Editor
  3. In the left pane of Registry Editor, navigate to following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc

  4. Make sure that this key is intact but do not change anything
  5. Navigate to this key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
  6. This is the most important path you should look into, as it contains the keys and values referred in the key in step 3.  Below are descriptions what must be present there.
  7. There must be Multi-String value called GPSvcGroup.  If it is missing, right click on the panel on the right and create a new multi-string value named GPSvcGroup and assign it value GPSvc.
  8. Next, you must create a key (a folder) and name it GPSvcGroup – this key normally should be there. To do this, right click on the panel on the right and select New > Key. Name the new key as GPSvcGroup
  9. Then open newly-created GPSvcGroup folder/key, right click on the panel on the right and create 2 DWORD values:
  10. First called AuthenticationCapabilities and you must give it a value of 0x00003020 (or 12320 in decimal)
  11. Second is called CoInitializeSecurityParam and it must have value of 1.
  12. Restart your PC after the changes

Method 2: Take ownership of group policy registry key and force the GPSVC to initiate as a separate process from the beginning rather than to act as shared process.

By executing the commands bellow successfully, we force the GPSVC to initiate as a separate process from the beginning rather than to act as shared process. Thus now GPSVC can communicate correctly with Winlogon and there is no error during sign-in process, hence user logon becomes successful.

  1. Press Windows Key + R to open run
  2. Type regedit in Run dialog box and hit enter to open the Registry Editor
  3. In the left pane of Registry Editor, navigate to following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc

  4. We are now going to take ownership of this key so that we can edit it
  5. Right click on the gpsvc (folder) key and select Permissions.
  6. The default owner should be TrustedInstaller. Click on Change in the window that appears.
  7. Click on Advanced in Select User or Group window.
  8. Click Find Now.
  9. Now we have the search results here, pick your user name, click OK.
  10. Then click OK in Select User or Group window as well. Now you have successfully changed the owner.
  11. Once you’ve successfully taken ownership of registry key, close Registry Editor. Open elevated or administrative Command Prompt/PowerShell (press start button, type cmd, right click on cmd and open as administrator) and type following command, hit Enter key:
    reg add “HKLM\SYSTEM\CurrentControlSet\Services\gpsvc” /v Type /t REG_DWORD /d 0x10 /f

  12. You must receive “The operation completed successfully” message. If you’ve not taken ownership of the registry key mentioned in step 3, the command will not execute and you’ll get Access is denied message.
  13. Restart your PC

Method 3: Restore your system to an earlier point when it worked

Restoring your system to a point where it previously worked without the error will solve the issue.

Option 1: If you can log into the system with another account

  1. Right click the start button and choose system
  2. From the left column choose System Protection.
  3. Click the System Restore button
  4. Click the Next button
  5. You may need to check the box at the bottom that says, “Show more restore points
  6. Pick a date/point in time before the problem occurred and restore your system. Your PC will revert to that date and restart (you may lose your programs but your data will be intact).

Option 2: If you cannot log in to the system or you had only one account

By going into the advanced startup options, you can restore your PC to the previous point.

  1. Press the Shift button then restart your PC (you should have the shutdown button on the bottom right corner of your login screen, right click on it to get the restart option)
  2. Windows will then restart and display a Choose an option menu.
  3. Select Troubleshoot > Advanced options > System Restore
  4. Choose a date in time before the problem occurred and restore your system. Your PC will revert to that date and restart (you may lose your programs but your data will be intact).

If your system error persists or you did not have a restore point, you can reset your system. This will however clear all your apps but your data will be kept. Use the advanced startup options but instead choose Troubleshoot > Reset this PC > Keep my files.

Method 4: Reset Google Chrome

Since this is issue is caused by apps that do not need admin permission to install e.g. Google Chrome. Resetting or removing these apps will clear this error.

  1. Press Windows Key + R to open run
  2. Type appwiz.cpl and press enter to open the programs and features window
  3. Look for Google chrome and uninstall it.
  4. If you wish, reinstall it without using admin privileges

Method 5: Turn off fast startup

Windows 10 has a special “fast startup option”. Basically this seems to make your PC take longer to shut down but makes the startup a bit quicker. The prolonged shutdown or shortened startup can create a login problem leading to this error.

  1. Click on Start
  2. Go to Settings
  3. Click on System icon
  4. Go to the Power and sleep section and click on additional power settings
  5. Click on “choose what the power buttons do”
  6. Scroll down to Shutdown settings
  7. Uncheck the box next to “turn on fast startup”
  8. Click save changes
  9. Restart your PC

Method 6: Restart Group Policy Service and Reset Winsock

Restarting these services will resolve the issue.

  1. Press Windows Key + R to open run
  2. Type ‘services’ and hit enter
  3. Search for Group Policy Client and right click on the services and go to properties.
  4. Change its Startup type to Automatic, Click on the Start button, and then Apply > OK.
  5. Right click on the Start button and select Command Prompt (Admin) or Powershell (Admin)
  6. Type the following command and hit enter.netsh winsock reset
  7. Type exit and hit enter to exit command prompt
  8. Restart your PC.

Method 7: Relogging in a specific order

If all the above methods don’t work for you and the issue still persists, you can try relogging into your accounts in a specific order. There are no assurances that this might work but it did for several users. Make sure that you have your work saved before proceeding.

Let’s suppose you have 3 three accounts (or two). One of them is not working where the error comes forward. Here we will refer to the problematic account as Account_Problem and working accounts as Working_1 and Working_2.

Note: You can perform the same ideology even if you don’t have three accounts.

  1. First of all, switch all the users so all three are logged in.
  2. Now, log off (sign out) each account in order (for example Working_1, Account_Problem, Working_2).
    Logging out each account

     

  3. Now, log into the first working account i.e. Log into Working_1 and try to do some task or play some game.
  4. Now log into the second working account i.e. Working_2 and perform some activity there as well.
  5. After all the working accounts have been logged in, log into the problematic account i.e. Account_Problem. Now check if the issue is resolved.

One Comment

Leave a Reply

Your email address will not be published.

Expert Tip

Fix: The Group Policy Client Service Failed the Logon

If the issue is with your Computer or a Laptop you should try using Reimage Plus which can scan the repositories and replace corrupt and missing files. This works in most cases, where the issue is originated due to a system corruption. You can download Reimage by clicking the Download button below.

Download Now

I'm not interested

Close